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DETAILED ACTION 

1. Applicant's amendment filed on April 22, 2005 has been entered. Claims 
1-37 are pending. Claims 1 , 14, and 27 are amended by the applicant. 

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which fomis the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 1-37 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Burns et al (US 5.931,947), and further in view of Cooper (US 5,737,516). 

a. Referring to claim 1: 
i. Burns teaches: 

(1) a first identification storing which first identification 
data that is unique an equipment and second identification data corresponding said first 
identification data been stored, wherein said first identification storing unit is formed in a 
single integrated circuit [i.e., referring to Figure 1, the device 1 also includes a 
storage media 8 and a request processor 9. The storage media 8 contains a 
subscriber list 10 and an object repository 11. The subscriber list 10 includes the 
subscriber ids of the clients that are able to create objects on the device, while 
the object repository 11 houses the network objects. Each object will have a 
unique id that will never be used again on this device even if the object is deleted, 
(column 6, lines 19-26)]; 

(2) a first transmitting/receiving transmitting distribution 
request data together with said first identification data read out from said first storing 
unit receiving transmitted data [i.e., referring again to Figure 1, the request 
processor 9 receives requests from the network, services them, and returns 
responses as provided in the flowchart of Figure 4. A request is a command sent 
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by a client to a network storage device to access data stored on It (column 6, 
lines 27-31)]; 

(3) a first data storing unit for storing the data received 
said first transmitting/receiving unit [i.e., the network storage devices of Burns' 
invention are used as repositories of remotely encrypted data, where each 
network storage device is an independent entity. All encryption is done by the 
network clients (the components of the network that request data from the 
devices), so that data that travels over the network is stored encrypted (column 5, 
lines 48-54)]; 

(4) a first signal processing unit for performing decoding 
process to the data read out from said first data storing unit based on said second 
identification data stored said first identification storing unit, wherein said first signal 
processing unit is formed in said single integrated circuit [i.e., all encryption is done 
by the network clients (the components of the network that request data from the 
devices), so that data that travels over the network is stored encrypted. The 
advantage of this approach is that data is encrypted or decrypted by the clients 
as opposed to having the encryption being done at both the devices and the 
clients (column 5, lines 51-57). Furthermore, Figure 3 provides a block diagram 
depiction of a plurality of data processing system attributes which may be utilized 
to uniquely identify a particular data processing system (whether a stand-alone or 
a node in a distributed data processing system), and which further can be utilized 
to generate in the machine identification value which is utilized to derive or 
generate a temporary access product key which may be utilized to gain access to 
an encrypted product for a particular predefined trial interval. A data processing 
system may include a particular system bus 60 architecture, a particular memory 
controller 74, bus controller 76, interrupt controller keyboard mouse controller 80, 
DMA controller 66, VGA video controller 82, parallel controller 84, serial controller 
86, diskette controller 88, and disk controller 82. Additionally, a plurality of empty 
or occupied slots 106 may be used to identify the particular data processing 
system. Each particular data processing system may have attributes which may 
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be derived from RAM ROM 68, or CMOS RAM 72 (column 7, lines 50-67 through 
column 8, line 1)]; 

(5) a first control unit for performing an operation to allow 
the data received said first transmitting/receiving unit to be stored into said first data 
storing unit and controlling the decoding process of the data read out from said first data 
storing unit by said first signal processing unit [i.e., a process controller, or a 
distributed computing system, which includes data storage and suitable 
programming means for operating in accordance with the devices and methods 
to be disclosed, also falls within the spirit and scope of the invention (column 5, 
lines 16-21). In addition, Figure 1 is a block diagram of a network storage device 
1, which is part of the secure array of encrypted devices, according to the 
invention. The device 1 is one of many similar devices attached to a network 2, 
along with the network clients (not shown). Each storage device 1 has a device 
owner for controlling access to the device's data (column 5, lines 60-65)]; 

(6) a second transmitting/receiving for receiving said first 
identification data and said distribution request data transmitted from said first 
transmitting/receiving unit and for transmitting the data; a second data storing unit in 
which a plurality of data stored and which outputs data corresponding said distribution 
request data; a second identification storing unit which the second identification data 
corresponding said transmitted first identification data has been stored; a second signal 
processing unit for performing an enciphering process the data outputted from said 
second data storing unit based on the second identification data readfrom said second 
identification storing unit; and a second control performing a reading control of said 
second identification data from said second storing unit based on said distribution 
request data and said first identification data which were transmitted and performing 
reading control of the data from said second data storing unit based on said distribution 
request data, wherein the data enciphered on the basis of said second identification 
data transmitted through said second transmitting/ receiving unit decoded by said first 
signal processing unit, and said first identification storing unit and said first signal 
processing unit are formed in said single integrated circuit [i.e., each object will have a 
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unique id that will never be used again on this device even if the object is deleted. 
Details on the layout of the network objects are described below in reference to in 
Figure 2 (column 6, lines 24-26). As each of the distributed file system would be a 
mirror image of each other, then it would contain a second data storing unit for 
storing a plurality of data (see Abstract, that is a plurality of data objects) from 
the first transmitting/receiving unit. It would also contain an encryption unit for 
encrypting data to be sent over an insecure network wherein the data enciphered 
is based on second identifier (column 6, lines 38-39). In addition, FIG. 4 is a 
block diagram depiction of a routine for encrypting software objects. The binary 
characters which make up software object 201 are supplied as an input to 
encryption engine 205. Real key 203 is utilized as an encryption key in encryption 
engine 205. The output of encryption engine 205 is an encrypted software object 
207. Encryption engine 205 may be any conventional encryption operation such 
as the published and well known DES algorithm; alternatively, the encryption 
engine 205 may be an exclusive-OR operation which randomizes software object 
201 (column 8, lines 57-67)]. 

ii. Although Burns teaches the claimed subject matter, as well 
as the network client performs all encryption and decryption of data and metadata 
(column 3, lines 52-53). he does not explicitly mention: 

(1) the decryption process is performed within the same 
circuit, unit, engine, or device. 

iii. On the other hand, Cooper teaches: 

(1) Figure 20 depicts in block diagram form the technique 
of utilizing a plurality of inputs within the user-controlled data processing system to 
derive the real key, which may be utilized to decrypt an encrypted software object. 

iii. It would have been obvious to a person having ordinary skill 
in the art at the time the invention was made to: 

(1) have modified the invention of Burns with the 
teachings of Cooper, if indeed it wasn't inherent in Burn's data decryption device, for 
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securing access to software objects, and in particular to techniques for temporarily 
encrypting and restricting access to software objects (column 1 , lines 37-39 of Cooper). 

iv. The ordinary skilled person would have been motivated to: 
(1) have modified the invention of Bums with the 
teachings of Cooper since it is also possible that unscrupulous individuals may post 
keys to publicly-accessible bulletin boards to allow great numbers of individuals to 
become unauthorized users. Typically, these types of breaches in security cannot be 
easily prevented, so vendors have been hesitant to distribute software for preview by 
potential customers (column 2, lines 20-25 of Cooper). 

b. Referring to claim 2: 

i. Burns further teaches: 

(1) wherein accounting information is transmitted from 
said first transmitting/receiving unit to said second transmitting/receiving unit, said 
second control controls the reading operation of said second identification data from 
said second storing unit based on said transmitting accounting information [i.e., 
typically, the network storage device is shipped with a device owner key in 
firmware and the owner is given the key with the device upon purchase. All keys 
pertaining to access to the device are derived from the owner key (column 8, lines 
6-9)]. 

c. Referring to claim 3: 

i. Burns further teaches: 

(1) for performing an enciphering process to the data 
which is written into said second data storing unit based on enciphering data, and 
wherein the data enciphered by said means for performing an enciphering process is 
written into said second data storing unit, and when the data data storing unit based on 
said distribution request data and read out from said second transmitted from said 
second transmitting/receiving said first transmitting/receiving unit, said enciphering data 
is enciphered by said second identification data and said second signal processing and 
transmitted together with the data read out from said second data storing unit [i.e., all 
encryption is done by the network clients (the components of the network that 
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request data from the devices), so that data that travels over the network is 
stored encrypted. The advantage of this approach is that data is encrypted or 
decrypted by the clients as opposed to having the encryption being done at both 
the devices and the clients. In order for the system to revoke access to an object 
(file or directory) on the device, the object must be re-encrypted (column 5, lines 
50-59 and Table 2)]. 

d. Referrinp to claim 4: 

i. Burns further teaches: 

(1) wherein said first signal processing unit decodes the 
data transmitted from said second transmitting/receiving unit and said enciphering data 
by said second identification data stored in said first storing unit and performs decoding 
process of an encryption performed by said enciphering data to the data decoded based 
on the decoded enciphering data [i.e., each file data object, also shown in Figure 2, 
preferably includes the common network object header followed by encrypted file 
data. The network client is responsible for performing encryption and decryption 
of file data. Encrypted file data is seen simply as a random string of bytes by the 
network storage device (column 7, line 36-37)]. 

e. Referrinp to claim 5: 

i. Burns teaches the claimed subject matter, but Burns does 

not clearly mention: 

(1) wherein said first control unit performs an accounting 
process based on said enciphering data . 

ii. However, Cooper teaches: 

(1) the use of the controller both to identify data being 
processed, i.e.. requests to a network storage device need to be authenticated and 
guaranteed for freshness. The storage device also enforces access rights listed in Table 
1 above. A request that will change the state of the storage will be authenticated by the 
device, rather than the client. The results of a request needs to be authenticated by the 
network client to prevent spoofing problems. Furthermore, all requests and responses 
must also be guaranteed fresh to prevent replays (i.e., presenting of copies of requests 
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and responses by sonne other entities in the system to impersonate the true requester 
or recipient) (column 7, lines 57-67). 

iii. It would have been obvious to a person having ordinary skill 
in the art at the time the invention was made to: 

(1) have put accounting process via the controller as 
taught by Cooper under the general database exchange and purchasing functions of 
Burns' invention because the controller keeps track of the data identification and owner. 

iv. The ordinary skilled person would have been motivated to: 
(1) have put accounting process via the controller as 

taught by Cooper under the general database exchange and purchasing functions of 
Burns' invention to insure the owner is paid for his data placing the accounting under 
the control of the controller which keeps track of data ID would prevent duplication of 
resources and increase the throughput in the event large amount of data are 
exchanged. 

f. Referring to claim 6: 

I Burns further teaches: 

(1) wherein said enciphering data has a data portion 
which dynamically changes and said control discriminates said dynamically changing 
data portion, at every predetermined time, in said enciphering data stored in said first 
data storing unit and transmitted together with the data from said second 
transmitting/receiving unit [i.e., there are two types of network objects: directory 
data objects and file data objects. File data objects contain all or part of the file 
data of a file. Directory data objects contain all or part of the directory entries of a 
directory. Each network object on a device is identified by a unique object id. In 
addition, both types of objects are transmitted over the network (column 5, lines 
30-45) and as these data objects must be handled differently, the controller must 
be able to respond dynamically depending on which type of data object is being 
sent. Thus Burns discloses a control unit (i.e., a controller) which dynamically 
responds to changing data portion]. 

g. Referring to claim 7: 
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i. This claim has limitations that is similar to those of claims 1 
and 6, thus it is rejected with the same rationale applied against claims 1 and 6 above. 

h. Referring to claim 8: 

1. Burns further teaches: 

(1) wherein said first control unit inhibits the reading 
operation of the data from said first data storing unit when the discrimination result of 
said dynamically changing data portion indicates that said enciphering data is not 
correct [.e., H(request) is the hash of the request that generated the error, ecode is 
the error code that represents why the request failed, edata is error data that 
gives specific details about why the request failed, keydata is the data that 
corresponds to the key used it the request. K is the key that was used in the 
request. Note, if the request failed due to an invalid key used in the request, 
keydata and K are not used (column 9, lines 63-67)]. 

i. Referring to claim 9: 

i. This claim has limitations that is similar to those of claim 5 
and column 8, lines 1-9. thus it is rejected with the same rationale applied against claim 
5 and column 8, lines 1-9 above. 

j. Referring to claim 10: 

i. This claim has limitations that is similar to those of claims 5 
and 9, thus it is rejected with the same rationale applied against claims 5 and 9 above, 
k. Referring to claim 11: 

i. This claim has limitations that is similar to those of claim 5 
and column 8, lines 1-9, thus it is rejected with the same rationale applied against claim 
5 and column 8, lines 1-9 above. 

ii. It would have been obvious to a person having ordinary skill 
in the art at the time the invention was made to: 

(1) modify Burns to include elapse time as a measured 
parameter because with the concern for data freshness the time which the data update 
is made becomes important, especially if the site is being billed for the update, that is 
the site does not wish to pay for an out of date update. 
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iv. The ordinary skilled person would have been motivated to: 
(1) modify Burns to include elapse time as a measured 
parameter because the controller is the place which takes care of the billing and so this 
would be the most efficient place to control data reading for updates. 
1. Referring to claims 12-13: 

i. Burns further teaches: 

(1) The limitation of encryption device for decoding data 
based on the destination is being move and wherein the control unit deletes data when 
movement in data storage unit is finished [i.e., network objects are used to store 
data on the storage devices. There are two types of network objects: directory 
data objects and file data objects. File data objects contain all or part of the file 
data of a file. Directory data objects contain all or part of the directory entries of a 
directory. Each network object on a device is identified by a unique object id. 
Note that an object id is not reused even if the corresponding object is deleted. 
Each object has an object administrator key, which is used to create the lookup, 
read, extend, delete, and update keys for the object. The backup key is derived 
from the owner key 3 and is used to enumerate the objects on the storage device 
1 and read those objects (column 6, lines 46-58)]. 

m. Referring to claims 14-26 and 35-37: 

i. These claims have limitations that are similar to those of 
claims 1-13 and 11, thus they are rejected with the same rationale applied against 
claims 1 -1 3 and 1 1 above. 

0. Referring to claims 27 and 29-34: 

i. These claims have limitations that are similar to those of 
claims 1-2 and 6-10, thus they are rejected with the same rationale applied against 
claims 1-2 and 6-10 above. 

Response to Argument 

4. Applicant's arguments filed April 22, 2005 have been fully considered but 
they are not persuasive. Please see the above rejection of claim 1 for newly added 
limitation that has been amended by the applicant. 
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Conclusion 

5. Applicant's amendment necessitated the new ground(s) of rejection 
presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See 
MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 
37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to 
expire THREE MONTHS from the mailing date of this action. In the event a first reply is 
filed within TWO MONTHS of the mailing date of this final action and the advisory action 
is not mailed until after the end of the THREE-MONTH shortened statutory period, then 
the shortened statutory period will expire on the date the advisory action is mailed, and 
any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date 
of the advisory action. In no event, however, will the statutory period for reply expire 
later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Thanhnga (Tanya) Truong 
whose telephone number is 571-272-3858. 

If attempts to reach the examiner by telephone are unsuccessful, 
the examiner's supervisor, Kim Vu can be reached at 571-272-3859. The fax and 
phone numbers for the organization where this application or proceeding is assigned is 
703-872-9306. 

Any inquiry of a general nature or relating to the status of this 
application or proceeding should be directed to the receptionist whose telephone 
number is 571-272-2100. 



TBT 

July 07, 2005 
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